How Law Enforcement Agencies Fight Cyber Crime

Information security professionals have a plethora of technological tools at their disposal to fight would-be attackers—and more are on the way. The traditional prevention, detection and response technologies are soon to be augmented by innovative new tools that can do things such as spoof entire network topographies on the fly to deceive attackers.

Yet a panel of federal law enforcement officials told attendees at the RSA Conference Thursday that perhaps the most effective weapon in their arsenal is threat intelligence from outside sources.

None made that point more definitively than William Noonan, deputy special agent in charge of the criminal investigations division of the U.S. Secret Service. Noonan said the agency has taken the "secret" out of Secret Service on this topic by sharing the findings of its investigation with the larger information security community.

"We've had a lot of success with prevention because we're sharing the information with industry," he said. And he offered up an example of that success.

After finishing the investigation of a recent attack, the Secret Service shared its findings about how the attack was launched. That information helped UPS deduce that it had already been victimized by the very same attack, and the company was able to take steps to prevent an encore.

The U.S. Department of Justice is taking a similar approach.

"We're trying to take what we're learning from our cases and push that out when we can," said John Lynch, chief of the DOJ's computer crime and intellectual property section.

Lynch said the department is looking for opportunities to provide guidance along the lines of the UPS example, as well as answer questions and even take in outreach itself so it can make better decisions. For example, Lynch said the DOJ shared its best practices for working with law enforcement on cyber crimes, such as the kinds of questions prosecutors and investigators are likely to ask a victimized company.

Keith Mularski, supervisory special agent with the FBI, said that such coordination has proved critical in attempts to get ahead of today's increasingly sophisticated attackers.

"If you look at cases during the last five years, we never could have done it without private industry," Mularski said.

"One of the things you learn after doing this for a while is that we're not going to capture everybody," he said.

Which is why Noonan strongly recommends that companies form relationships with law enforcement now rather than later. Waiting until a breach happens to approach a law enforcement agency is a strategy that could come with a hefty price tag for the target organization.

"It speeds up the response if you already have the relationship," he said, pointing to the 2014 Target breach, which wasn't discovered until two weeks after the attack. "Those two weeks of badness could have stretched much longer without information sharing."

And it's safe to assume that there's not a security executive in the world who wants to endure more badness.